Fresh Patents
08/02/07 - USPTO Class 705 | #20070179903

Identity theft mitigation

USPTO Application #: 20070179903
Title: Identity theft mitigation
Abstract: Public-key authentication, based on public key cryptographic techniques, is utilized to authenticate a person opening an account. The person provides a declaration to use only public-key authentication and a copy of his/her public key to an authorized agent, such as a credit bureau. The person provides a signed request to open an account with a merchant based on public-key authentication. This merchant requests a credit report from the credit bureau, providing the credit bureau the applicant's public key. The credit bureau uses the public key to locate a credit report. Barring theft of the user's private key, the credit report will be that of the requesting user with a high probability. The credit bureau can then provide the requested information to the merchant, and the merchant can provide notification to the person that the account is authorized or not, based on what the merchant reads in the credit report.
(end of abstract)
Agent: Woodcock Washburn LLP (Microsoft Corporation) - Philadelphia, PA, US
Inventors:
USPTO Application #: 20070179903 - Class: 705067000 (USPTO)

Related Patent Categories: Data Processing: Financial, Business Practice, Management, Or Cost/price Determination, Business Processing Using Cryptography, Secure Transaction (e.g., Eft/pos), Including Intelligent Token (e.g., Electronic Purse), Including Authentication
The Patent Description & Claims data below is from USPTO Patent Application 20070179903.

TECHNICAL FIELD

[0001] The technical field generally relates to identification theft, and more specifically relates to alternatives to "fact based authentication."

BACKGROUND

[0002] Identity theft is becoming more prevalent. Many types of identity theft are a result of an unauthorized person (an imposter) using facts about another person to open or access an account in the legitimate person's name. Typically, facts include personally identifying information such as a social security number, a mother's maiden name, an address, a zip code, an employer's name, a driver's license number, or the like. The imposter need only show knowledge of the facts in order to access or open an account. Knowledge of enough facts will authorize the imposter to access and/or open an account. This process can be called "fact based authentication." Attempts to prevent identity theft have focused on keeping such facts secret.

[0003] A problem with attempting to prevent identity theft by keeping personally identifying information secret is that the identifying information is not secret and never will be, because it is known by parties other than those trying to use it for the purpose of authentication. Also, personally identifying information is typically obtainable through a variety of channels. Thus an unscrupulous imposter could obtain a person's identifying information without the person's knowledge.

SUMMARY

[0004] This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description Of The Illustrative Embodiments. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

[0005] Public-key authentication, as described herein, mitigates identity theft. Rather than determining authentication on knowledge of facts such as personally identifying information (e.g., social security number, mother's maiden name, address, zip code, employer's name, driver's license number, bank account numbers), a public-key authentication system determines authentication based on knowledge of the private key of a public key-private key cryptographic key pair. Public-key authentication helps ensure that an imposter cannot open and/or access an account using another person's identity because, in part, it is an authentication mechanism in which the secret stays with the originator.

[0006] The following introduces an exemplary embodiment that consists of a process with two parts: (1) registration of the end user with a central repository of credit information that would be consulted by any institution offering an end user credit and (2) opening of an account by the end user with such an institution. Each of those two parts has two options described below: (1a) in which the end user has no prior credit history and therefore is a new person from the point of view of the credit information repository, (1b) in which the end user does have a prior credit history and needs to authenticate himself or herself to the credit information repository in order to change an existing relationship to one that rejects fact based authentication, (2a) in which the end user creates an account with a lending institution that has installed the software and modified its business processes to be part of the public-key authentication system for account creation, and (2b) in which the end user creates an account with a lending institution that has not installed that software and still relies on legacy, fact-based authentication. Option (2b) also covers the case in which the end user, having switched to public-key authenticated account opening, verifies that accounts opened with fact-based authentication prior to that switch are in fact valid and will be honored by the end user.

[0007] In case (1a) of the exemplary embodiment, for a person having no previous credit history, the person first declares to one or more central repositories, such as credit bureaus, that he/she has no credit history and intends to reject the use of "fact based authentication" in all his or her account creations. The person also creates a key pair in accordance with well known public key cryptographic techniques. The person keeps the private key secret and never needs to reveal the private key. The person provides the declaration and the public key to another entity such as a credit bureau, for example. The person then registers to open an account with each of those central repositories. To register, the person generates a digital request to open a new database entry. The request is signed by the person's private key, and delivered to the entity maintaining the database (e.g., a credit bureau). Because the person registering has no previous credit history, there is no need to tie the current registration to any previous history and therefore no need to prove the person's identity to the satisfaction of the holder of that credit history. The only personally identifying information communicated in this registration will be for the purpose of satisfying regulatory requirements rather than for authentication. The request is authenticated by the public key signature. In response to this request, the person gets a new database entry with that repository and this entry can be referenced by any bank or merchant with whom that person may later want to create a charge account, get a loan, receive a credit card, etc. The database entries for an individual are similar to current credit history database entries with the exception that the individual's public key is also recorded. In addition, the database entry contains a field held secret (communicated only with the individual) which is a fully random, high entropy password that will be used if the individual's key pair gets lost, destroyed or stolen and the individual needs to register a new public key.

[0008] When the individual chooses to open an account with some merchant or bank or credit-card issuer (called the lender, below)--that is some entity to which the individual will become indebted and therefore some entity where an identity thief might open an account that victimizes the individual--that entity will naturally ask for the applicant's credit history (database entry). On receiving this credit report, the lender will see the normal credit report information but also a notice that the individual refuses to accept liability for any account opened by way of "fact-based authentication" (with specific exceptions noted in the report). Instead, the individual chooses to open new accounts via public-key authenticated transactions, online. The credit report can also list the individual's public key (or a cryptographic hash thereof). In an exemplary embodiment, regardless of whether the human-readable credit report lists the individual's public key, an online version available from the entity keeping the individual's database entry will include the public key.

[0009] Once an individual has chosen to use public-key authentication for opening accounts with lenders, there are two options: (2a) opening that account online, e.g., via a web service, or (2b) opening the account via traditional pen and paper applications.

[0010] In case (2a), the individual runs an application (or web browser) on his or her computer, fills out the application for the new account and digitally signs the application (or client-authenticates an SSL connection via the web browser), thus proving possession of the individual's private key. The lender receives this application, confers with the credit reporting service, discovers that the public key used by the applicant is in fact the public key of that registered individual and therefore has high assurance that the applicant is the registered individual and not an identity thief.

[0011] In case (2b), the lender does not offer the web service or web site capable of accepting public-key authenticated online applications. The applicant must therefore fill out a paper form, using standard Personally Identifiable Information (PII). If the lender were to take that form and consult a credit reporting service about that individual, the lender would see the notice that the identified individual rejects new accounts created in this way--with only those exceptions listed. If the applicant in this case is an identity thief, his or her intentions will be frustrated. If the applicant in this case is the actual individual, that individual will first have contacted the credit reporting services online, authenticated by public-key authentication and added a note to his or her database record that he or she intends to create an account with lender X within date and time window Y (some predetermined amount of time) in legacy PII style. Alternatively, the individual can start the application process with the lender, get an account number from the lender, and then tell the lender to hold off completing the application process until the applicant can connect to the credit reporting service and specifically exempt that new account--listing it by account number and the name of the lender. Once the applicant has modified his or her database entry to include that notice, using public-key authenticated transaction with the credit reporting service(s), the applicant can optionally contact the lender and tell it to proceed with fetching the credit report. In that report, the lender will see itself listed as an exception to the rule rejecting fact-based account openings.
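The registration and account-opening flow of cases (1a), (2a) and (2b), as an added sketch that is not part of the patent application. Assumptions: toy textbook RSA over known Mersenne primes stands in for a real signature scheme (insecure, chosen only to stay within the standard library), and the `Bureau` class, message formats and PII placeholder are hypothetical.

```python
import hashlib, secrets
from datetime import datetime

# Toy textbook RSA (hash-then-sign) stands in for a real signature scheme so the
# sketch needs only the standard library. Known Mersenne primes: NOT secure.
E = 65537
def keypair(p=2**521 - 1, q=2**607 - 1):
    return p * q, pow(E, -1, (p - 1) * (q - 1))      # (public n, private d)
def _h(msg, n): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(msg, n, d): return pow(_h(msg, n), d, n)
def verify(msg, sig, n): return pow(sig, E, n) == _h(msg, n)
def fingerprint(n): return hashlib.sha256(str(n).encode()).hexdigest()

def exception_msg(lender, until):   # hypothetical format of the signed (2b) note
    return f"exempt|{lender}|{until.isoformat()}".encode()

class Bureau:                       # hypothetical credit-bureau database
    def __init__(self): self.records = {}
    def register(self, n, pii, request, sig):         # case (1a)
        if not verify(request, sig, n): raise ValueError("bad signature")
        self.records[fingerprint(n)] = {
            "pubkey": n, "pii": pii, "rejects_fact_based": True, "exceptions": [],
            "recovery": secrets.token_urlsafe(32)}    # high-entropy secret, [0007]
        return self.records[fingerprint(n)]["recovery"]
    def add_exception(self, n, lender, until, sig):   # signed note for case (2b)
        rec = self.records.get(fingerprint(n))
        if rec is None or not verify(exception_msg(lender, until), sig, n):
            raise ValueError("unknown key or bad signature")
        rec["exceptions"].append((lender, until))

def open_online(bureau, n, application, sig):         # lender side, case (2a)
    rec = bureau.records.get(fingerprint(n))          # report located by public key
    return rec is not None and verify(application, sig, n)

def open_paper(bureau, pii, lender, now):             # lender side, case (2b)
    rec = next((r for r in bureau.records.values() if r["pii"] == pii), None)
    if rec is None: return False                      # no report found
    if not rec["rejects_fact_based"]: return True     # record carries no notice
    return any(l == lender and now <= until for l, until in rec["exceptions"])

if __name__ == "__main__":
    n, d = keypair(); b = Bureau(); pii = "constructed-pii-0001"
    b.register(n, pii, b"register", sign(b"register", n, d))
    app = b"open account at LenderX"
    print("online, owner:", open_online(b, n, app, sign(app, n, d)))
    n2, d2 = keypair(p=2**127 - 1)                    # imposter's own key pair
    print("online, imposter key:", open_online(b, n2, app, sign(app, n2, d2)))
    print("paper, no exception:", open_paper(b, pii, "LenderX", datetime(2007, 1, 1)))
```

Knowing the PII alone never opens an account here: the paper path succeeds only after the key holder has signed an exception naming that lender, and only inside the stated window.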

[0012] For a person desiring to switch to public-key authentication but having an existing credit history that was based on fact based authentication, the process (case (1b)) is more detailed as described below. The person will still create a key pair and register it with the credit reporting agencies, but will need to prove his or her identity strongly enough to both convince the reporting agency that this person is the one referred to in the existing database entry and to discourage the identity thief strongly enough to reduce the problem of identity theft to an infrequent problem rather than the epidemic problem that it is today.

BRIEF DESCRIPTION OF THE DRAWINGS

[0013] The foregoing summary, as well as the following detailed description, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating identity theft mitigation, there are shown in the drawings exemplary constructions thereof; however, mitigating identity theft is not limited to the specific methods and instrumentalities disclosed. In the drawings:

[0014] FIG. 1 is a flow diagram depicting an exemplary sequence of events for using public-key authentication for opening accounts;

[0015] FIG. 2 is a flow diagram of an exemplary process for using public-key authentication for a new account from the user's perspective;

[0016] FIG. 3 is a flow diagram of the process for a user with an existing credit history who wants to switch to public-key authentication for all new accounts;

[0017] FIG. 4 is a flow diagram of an exemplary process for replacing a lost or stolen public key with a new one;

[0018] FIG. 5 is a depiction of an exemplary public-key authentication system; and

[0019] FIG. 6 is a diagram of an exemplary processor for implementing public-key authentication.

DETAILED DESCRIPTION OF ILLUSTRATIVE EMBODIMENTS
